Firewall Best Practices Guide
Hardening your router for production environments.
Prerequisite: If hardening tunnel or VLAN interfaces, ensure you have completed VPN Tunnels or VLAN Configuration before proceeding.
Prerequisites
- RouterOS: v7 or later.
- Hardware: Any supported RouterOS-based model.
- Access: WinBox, SSH, or serial console. Keep serial/console access available before applying Input rules; a rule that drops your own management session otherwise leaves no way back in.
Pre-Flight Requirements
- Back up the current configuration (Export RSC). In v7, /export omits passwords and keys unless you add show-sensitive, so decide whether the backup needs them.
- Ensure console or serial access is available.
- Enter Safe Mode in the terminal (Ctrl+X) before adding rules: if the session is cut off, the router rolls back the uncommitted changes.
- Verify that the Input chain's catch-all drop sits below the rule accepting your management interface; a drop above that rule locks you out.
Input Chain Hardening
Standard v7 Input chain model: drop invalid first, allow established/related, accept ICMP, allow management interfaces, drop the remainder. The rules reference an interface list named LAN, which must exist and contain your management interface before the final drop is added. The default configuration already defines LAN; if yours does not, create it first (bridge below is an assumed interface name, substitute your own).
/interface list add name=LAN
/interface list member add list=LAN interface=bridge
/ip firewall filter add chain=input connection-state=invalid action=drop place-before=0 comment="drop invalid"
/ip firewall filter add chain=input connection-state=established,related action=accept place-before=1 comment="allow established/related"
/ip firewall filter add chain=input protocol=icmp action=accept place-before=2 comment="allow ICMP"
/ip firewall filter add chain=input in-interface-list=LAN action=accept place-before=3 comment="allow LAN management"
/ip firewall filter add chain=input action=drop place-before=4 comment="drop all others"
place-before=N inserts a rule above the rule currently at position N, and each insert pushes the existing rules down one slot, so the sequence 0,1,2,3,4 builds the chain in this order at the top, above any default-configuration rules. On a router whose filter table is empty, omit place-before and add the rules in this order. Confirm with /ip firewall filter print before leaving Safe Mode.
Export Backup (RSC)
/export file=backup-before-firewall
This writes backup-before-firewall.rsc to the router's file store (/file print); copy it off the router before changing the firewall.
Related Procedures
- VPN Tunnels — tunnel policies require Input/Forward chain rules. Add the tunnel interface to the management interface list if you administer the router over the tunnel.
- VLAN Configuration — apply firewall rules per VLAN interface as needed.
Recovery
If Input rules lock you out, first try the serial console or a Safe Mode rollback. If neither is available, use Netinstall Recovery to restore access; Netinstall reinstalls RouterOS, so plan to re-import the RSC backup afterwards.
Common Pitfalls
- Rule order: drop invalid, then established/related, then ICMP, then management, then the catch-all drop. Swapping the first two is harmless (the default configuration accepts established/related first for performance); the lockout comes from placing the catch-all drop above the management accept, and placing it above the established/related accept drops every existing session.
- Management lockout: allow the LAN or management interface before the final drop. Test from the console first.
- Forward chain: for routing/NAT, Forward chain rules are separate. Input protects the router itself; Forward protects transit traffic.
- place-before: use place-before=0 to insert at the top. Verify the order with /ip firewall filter print.
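The pre-flight check ("verify Input chain drop rules do not lock out management access") and the rule-order pitfall above can be tested against the exported RSC before it touches a live router. The script below is an added example for this guide, not MikroTik code: it parses the /ip firewall filter rules out of an export in either the sectioned v7 layout or the one-line form used above, walks the Input chain top to bottom, and reports a catch-all drop that sits above the management accept or above the established/related accept. The two exports embedded in it are constructed by hand, not captured from a real device.

```python
"""Pre-flight check of a RouterOS export: flag Input-chain orderings that
lock out management. Added example for this guide, not MikroTik code;
the sample exports below are constructed, not taken from a real router."""
import shlex

# Keys with no packet-matching meaning; a rule carrying nothing else is a catch-all.
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix", "place-before"}
# Matchers that confine an accept rule to a management path (interface or source).
MGMT_KEYS = {"in-interface", "in-interface-list", "src-address", "src-address-list"}
SECTION = "/ip firewall filter"


def parse_filter_rules(rsc_text):
    """Return each 'add ...' rule under /ip firewall filter as a dict, in file order.
    Accepts the sectioned export layout, the one-line '/ip firewall filter add ...'
    form, and backslash-wrapped lines as written by /export."""
    rules, in_section, pending = [], False, ""
    for raw in rsc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            in_section = line.startswith(SECTION)
            line = line[len(SECTION):].strip() if in_section else ""
            if not line:
                continue
        elif not in_section:
            continue
        if line.endswith("\\"):              # wrapped line: wait for the remainder
            pending += line[:-1] + " "
            continue
        tokens = shlex.split(pending + line)  # shlex strips the quotes around comments
        pending = ""
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def is_catch_all(rule):
    """True when the rule has no matchers, i.e. it hits every packet in its chain."""
    return not (set(rule) - NON_MATCH_KEYS)


def check_input_chain(rules):
    """Walk the enabled Input rules top to bottom; return a list of findings
    (empty list = management stays reachable and existing sessions survive)."""
    findings = []
    chain = [r for r in rules if r.get("chain") == "input" and r.get("disabled") != "yes"]
    mgmt_allowed = established_allowed = False
    for pos, rule in enumerate(chain):
        action = rule.get("action", "accept")  # RouterOS defaults a rule's action to accept
        if action == "accept":
            if "established" in rule.get("connection-state", ""):
                established_allowed = True
            if MGMT_KEYS & set(rule):
                mgmt_allowed = True
        elif action in ("drop", "reject", "tarpit") and is_catch_all(rule):
            if not mgmt_allowed:
                findings.append(f"input rule {pos}: catch-all {action} with no management accept above it (lockout)")
            if not established_allowed:
                findings.append(f"input rule {pos}: catch-all {action} above established/related accept (existing sessions dropped)")
            break                                # nothing below a catch-all drop is reachable
    else:
        findings.append("input chain has no catch-all drop: router services reachable from every interface")
    return findings


# Constructed export in the order this guide recommends, plus a Forward chain
# in the default-configuration style. Not captured from a real device.
SAFE_EXPORT = """\
/interface list
add name=LAN
add name=WAN
/ip firewall filter
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow established/related" \\
    connection-state=established,related
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow LAN management" in-interface-list=LAN
add action=drop chain=input comment="drop all others"
add action=accept chain=forward comment="forward established/related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop new from WAN not DSTNATed" \\
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

# Same Input rules with the management accept added after the catch-all drop: the classic lockout.
LOCKOUT_EXPORT = """\
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input action=drop comment="drop all others"
/ip firewall filter add chain=input in-interface-list=LAN action=accept comment="too late"
"""

if __name__ == "__main__":
    for name, text in (("safe", SAFE_EXPORT), ("lockout", LOCKOUT_EXPORT)):
        problems = check_input_chain(parse_filter_rules(text))
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the file produced by /export (for example python3 check_input.py < backup-before-firewall.rsc after swapping the embedded samples for sys.stdin.read()) before applying the rules, and again after /ip firewall filter print confirms the live order. The check is deliberately conservative: an accept limited to a source address or an interface list counts as a management path, but an ICMP-only accept does not.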